Networking :: IPTABLES DNAT For Packets Originated Within The "firewall"?

Aug 26, 2010

I'd like to (if it's possible, of course) to redirect the packets originated within a linux box, and I've been tryin' to do it through the OUTPUT chain in nat table:

Code:

iptables -t nat -A OUTPUT -p tcp -d 192.168.0.74 --dport 80 -j DNAT --to-destination 192.168.0.17:80

The policy for the rest is ACCEPT.This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach 192.168.0.74 host, so there is no redirection.Could I achieve what I'm needing through with IPTABLES' OUTPUT chain (in nat table)?

View 1 Replies


ADVERTISEMENT

Ubuntu Networking :: Iptables And DNAT ?

Mar 10, 2011

I'm having a complicated iptables problem. I'm using a linux poweredge 1750 with 4 ethernet interfaces and 1 wireless interface as a router/firewall/wireless access point.

The Computers on the inside can connect and communicate just fine. The access the outside world and other internal devices with no problems.

DNAT from the outside works just fine for things like ssh, webmin and http. But some protocols and services (ftp with filezilla and runuo) use ports to connect. And then, it is like they hand off the rest of the communication to other seemingly randomly determined ports. And that is when the conversation gets dropped. How do I configure my router to notice these port changes and continue to DNAT the conversation?

View 2 Replies View Related

Networking :: Using Iptables Dnat For Redirection?

Oct 18, 2010

I have been trying to achieve something through iptables but something is going wrong. I want connection/packets arriving to a specific computer (let's call it "server") from another specific computer ("client") inside the same network to be automatically redirected to a remote computer in the internet and vice-versa. I tried doing that using iptables with these commands on the "server" PC:

Code:
iptables -t nat -A PREROUTING --source 'client-ip' -j DNAT --to-destination 'remote-pc-ip'
iptables -t nat -A PREROUTING --source 'remote-pc-ip' -j DNAT --to-destination 'client-ip'

[code]....

View 2 Replies View Related

Networking :: Firewall - Allow Packets Coming From Internet After Authenticating And To By Pass Packets Generated From Internal LAN?

Feb 8, 2010

i have a linux server runnig oracle applications. i need to access this server from putty using ssh through internet. i did by registering my static ip with the dnydns.org and i am able to connect to the server. but now there is no security to authenticate any user as any one knowing the password can login to it.

i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously. so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?

View 8 Replies View Related

Networking :: DNAT IPtables - Default Gateway For Return Packages

Nov 26, 2009

Client which uses an ISP with a Linux machine (Server 1) with two network cards. Eth0 with ip 1.1.1.2 and gateway 1.1.1.1 these ip's is not public ip's and falls unders the isp's internal range, eth1 with the internal ip range. OpenVPN listen on eth0 for incoming connections. We want to connect to Server1 from external networks. Due to different reasons the isp could not get the routing sorted and give us an public ip on his network. We had to setup another bos (Server2) with eth0 2.2.2.5 and gateway 2.2.2.1 which is public ip's and eth1 with ip 3.3.3.5. Server 2 can communicate via the ISP internal network with server 1. I use DNAT to forward all incoming connections on server 2 to server 1 but the problem I have is that server uses its default gateway for the return packages and does not sent the reply back to server 2. My iptables rules looks as follows on server 2.

/usr/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d 196.25.157.135 --dport 1194 -j DNAT --to 192.168.100.170:1194
/usr/sbin/iptables -A FORWARD -p udp -i eth0 -d 192.168.100.170 --dport 1194 -j ACCEPT

View 5 Replies View Related

Networking :: Dropped Packets On Firewall

Jan 11, 2010

I've recently installed Ubunter 9.10 Server Edition to use as a NAT firewall for the lab I run. I'm using iptables to do NAT forwarding and everything works great except that, occasionally, connections seem to break. Ssh connections close with "Connection reset by peer" and HTTP connections just stall out.I believe this has to do with the firewall's internal network interface occasionally dropping packets.

View 2 Replies View Related

Ubuntu Networking :: Packets DROPPED By Firewall?

Mar 13, 2010

I am using ubuntu 9.10. Configuring my firewall using guarddog. I have setup a rule to allow traffic OUT on port 7078 UDP, and just because i'm having problems i added an IN rule.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
ipchains -N f0to1

[code]....

View 2 Replies View Related

Networking :: Iptables REDIRECTing - All Outgoing Packets ?

Dec 6, 2010

I've been trying to redirect all outgoing packets (destined for a specified ip address) from my slack box back to itself. I thought this could be done with iptables, but if I fire up wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.

So here's what I tried:

All looks good and fine, and then I even try to visit 194.28.157.42 with firefox (by the way I am running a webserver, that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.

I ignored this message to see what the program I'm trying to interrupt does, and when I start wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.

View 1 Replies View Related

Networking :: Iptables Routing Packets On Same Sub-network

Feb 17, 2010

I am running into trouble while trying to set-up a iptables routing policy. I have two machines on the same sub-network (xxx.xxx.153.0). One of the machines is used as a default gw for the other (xxx.xxx.153.250 is a gateway for xxx.xxx.153.142 and xxx.xxx.153.254 is a gw for xxx.xxx.153.250). There is no explanation for why the xxx.xxx.153.250 is in the middle -- xxx.xxx.153.142 can go straight to xxx.xxx.153.254, but is is like that for now.I am trying to find an iptable rule to be executed on the xxx.xxx.153.250 machine to route the packets.

View 3 Replies View Related

Networking :: Redirecting Packets To Virtual Machine With Iptables

Mar 16, 2011

I had been running my SMTP server with WINE, as the SMTP server software is a Windows-based program (MERCURY), but I cracked the shits with WINE and removed it. Now I am running my SMTP server in a Windows virtual machine.This virtual machine has a different IP address from my host machine, so what I need is for my computer (the host) to redirect incoming traffic on port 25 to the virtual machine at 192.168.56.101 on port 2525.Can someone please help me with it? I think its done with iptables.

View 1 Replies View Related

Networking :: Interesting Distribution Of Packets Over Iptables Rules

Mar 13, 2011

I'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?

View 1 Replies View Related

Networking :: SIP Packets Mysteriously Disappearing / When Iptables-nat Activated

Sep 10, 2010

I have a very weird case in my firewall.I have an asterisk server and some phones and between them there is a linux firewall based on iptables.With basic rules on iptables everything works ok, but when I put a single nat rule (no matter what rule I use) some packets from some phones misteriously disappear from interfase to interfase.

Clearer:The firewall has two interfases: eth0 (pointing to phones) and eth2 (pointing to asterisk).One problematic phone is 192.168.3.242, so I use tcpdump this way.

View 14 Replies View Related

CentOS 5 Networking :: View The Packets Saved By Iptables?

Jun 26, 2009

if am using --log-prefix "BANDWIDTH_OUT:" --log-level 7 to capture packets, I think is there a way to view these?

View 4 Replies View Related

Networking :: IPTables / SSH Connection To .150 - The Packets Are Still Handled By .150 After Adding The Rules

Jul 2, 2010

I two servers set up: 192.168.1.150 and 192.168.1.160 Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty. At a point in time, I want to forward all incoming traffic to be served by .160 instead. I have accomplished this using these commands (on .150):

iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE

My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in. If I try a new SSH session, it is properly forwarded to .160

View 5 Replies View Related

Networking :: Promiscuous Interface And Iptables To Receive Packets Not Destined To Localhost

Mar 22, 2010

I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.

View 2 Replies View Related

Networking :: Comparing IPTables And Firewall Program?

Sep 10, 2010

I have to make my final exam on network & security, my task is to compare Iptables and a firewall program, yeah not a distribution. I use Archlinux so I'd like to continue use it for my project! Anyway my question is: which Network firewall could be the best one? I need this features:

- packet filtering
- HA (High Availability)
- Live (active) connection migration (if one fails...)
- Load balancing (not really important but...)

I know "many" firewalls but they all are distro. I need something to install on a linux machine (as said... better if I can run it directly on Archlinux!)

View 2 Replies View Related

Networking :: Configure My Firewall (through Iptables) To Allow Apt-get Features

Apr 26, 2010

I am encountering problems to configure my firewall (through iptables) to allow apt-get features, like update and install.I have the latest debian server running in a virtual machine in my windows xp and therefore I have two interfaces in this debian server:- NAT Interfaceinet: 10.0.2.15- Host Only Interfaceinet: 192.168.56.101So far my iptable rules drop all packets for default, in exception icmp and ssh that I allow to ping and connect from my windows xp. Both of them I use only the Host interface (192...) to connect to another 192... interface on my windows.

Those are working fine, but apt is not. I know, in this very moment it shouldn't. But I made a lot of attempts trying to configure the iptables allow connections through the 80 and 21 ports from/to NAT and Host. I think I made all possible combination (or not, because it didnt work). But I'm wondering if someone more experient can help me solve this problem.

View 11 Replies View Related

Networking :: Firewall Installed Using IPtables - NAT Rules?

Apr 7, 2010

I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20

I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.

Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT

View 2 Replies View Related

CentOS 5 Networking :: Firewall Insanity Iptables And Apf Don't Seem To Like Each Other?

Aug 13, 2009

I'm at my wits end at this point.

CentOS 5
iptables 1.4.1.1
APF 9.7
Webmin 1.4.80 (yes i can be a gui noob at times)

I'm currently running a dedicated server that hosts a couple of sites and runs a game server or two. I was using iptables on its own for a while, but recently I'm a target of all sorts of attacks (typically aimed directly at the gameserver on port 7777. UDP flood attacks, etc). I'm also seeing an spike in foreign spam, SSH brutes, and a few people in Turkey thought it would be cute to download files over and over and over I have decided to start banning entire countries, using the subnets listed here [URL]... I'm trying to block Central and South america (189,190,200,201.x.x.x), China, Ukraine, Turkey, Iran, Spain and Italy. I do this because a majority of the traffic from those areas are usually up to no good.

I installed APF so I could easily add these ranges in deny_hosts.rules and be done with it. I added the ranges, which turned out to be too many, and the system tanked. I decreased the amount of ranges to just 4:

189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8

Restarted APF and it loaded fine. Do an apf --list and iptables --list and it shows those 4 ranges as blocked. The only issue...I have people from 190.x and 200.x connecting to the gameserver and PLAYING. Its as if the firewall isnt there. Also, adding those ranges to /etc/hosts.deny (or whatever) doesn't block them either.

I add one of my own ips and I get blocked instantly. WTF?? I look in the iptables for webmin, and it shows an empty firewall. I do iptables --list and it shows the ranges I added in APF. I'm looking at building (or whatever its called) an fresh iptables with the geoip module added in. [URL]...

I've never done anything like this, and I don't want to kill the box. I also don't want to spend the effort if 1) something is wrong with my system to begin with and 2) the geoip module doesn't work. geoip module aside....how exactly should i configure the firewall? Empty iptables completely and then rely on APF for everything? Oh and heres another tidbit: I tried this before 2 years ago and it used to be that anything I put in APF would show when i looked at iptables using the webmin module. Thats no longer the case now. That was also on CentOS 4 when it did that. I don't know if moving to 5 is whats preventing it now.

In a nutshell, I'm new at this and I'm being inundated with terrible people trying to do terrible things and I'm ready to just give up. Can someone just give me a quick rundown on:

1) how to test that my firewall is actually firewalling

2) how I should configure the/a firewall on this CentOS5. Not too specific, I just want to know if I should empty iptables then load apf, should i not bother with APF (i like it when it works), is there a specific order of doing things?

View 8 Replies View Related

Networking :: Setup Iptables Firewall And DMZ With Multiple Public IP's?

Nov 27, 2008

We have a new Bussiness DSL line with 16 public addresses.What we want is to setup a DMZ to run some services and internet to the LAN. Here's a schematic of what we want:

Code:

Backup Internet Main Internet
connection connection
| |
| |
SDSL Modem BDSL Modem

[code]....

The webserver has the following settings:

IP: 12.34.56.125
subnet: 255.255.255.240
gateway: 12.34.56.126

What IPTABLES rules do i need to setup to "see" all IP's in the DMZ-2 from the internet?

View 2 Replies View Related

General :: When Restart The Iptables Service Then The Firewall Entries Are Again Shown In Iptables?

Sep 17, 2010

I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

[code]....

View 6 Replies View Related

Ubuntu Networking :: Iodine Not Working Unless Iptables Firewall Turned Off

Sep 28, 2010

I have managed to get iodine working between my ubuntu intrepid box and my windows client with a caveat.

The firewall rules allows DNS queries inbound. The client tunnel endpoint gets assigned an IP address and the tunnel is established properly.

However when I try to ping from the client machine, the reply packets are not coming back.

I used TCPDUMP on the Ubuntu box and watch the dns0 tunnel interface, and noticed that the packets are reaching the Ubuntu box from the client, but I don't see ANY ICMP echo replies until I turn off the firewall from Firestarter.

I see that outbound access rule is to allow all.

View 1 Replies View Related

Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed

Jul 17, 2010

IPtables creates an error during startup as well as when I try to restart it: Here's the output of:

[Code]....

View 11 Replies View Related

Networking :: Iptables + Squid + Dansguardian - Boxes Will Act As A INTERNET Firewall + Filtering?

Jan 14, 2011

is this possible on 2 Linux boxes will act as a INTERNET Firewall + Filtering: 1st PC = CENTOS 5.5 functions as a firewall using iptables with two NICS 1=ETH0 connected to internet with a public ip and 1=ETH1 with ip address of 10.0.0.1 connected to the 2nd PC Centos 5.5 with squid/dansguardian with ip address of 10.0.0.2

2nd PC = Centos 5.5 functions as a squid + dansguardian internet filtering with 2 NICS 1=ETH0 with ip address of 10.0.0.2 connected to the ETH1 of the 1st PC with ip address of 10.0.0.1 and 2nd ETH1=connected to LAN (172.16.1.0/24)

does this make sense? this might be confusing but I just want to try this, to protect incoming ssh from our previous Sys admins who intended to enter the LAN 172.16.1.0/24 network. And also to confuse them that they have to pass through 10.0.0.1 - 2.

View 3 Replies View Related

Security :: Use Iptables As Firewall Instead Of Juniper Firewall?

May 9, 2011

Can we use iptables as firewall instead of Juniper firewall

View 2 Replies View Related

Networking :: Route Eth2 TCP Packets To Tun0 With IPTABLES And IP RULE/ROUTE?

May 8, 2011

I have 3 network interfaces on my Linux Router :

Interface - Gateway - Type

Code:

br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)

What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :

Code:

route del default
route add default gw 10.0.0.2

Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :

Code:

iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300

First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.

View 4 Replies View Related

Networking :: Use Iptables In Order To Forward All The Incoming Packets For Port 5555 To Port 5556?

Apr 4, 2011

I'm trying to use iptables in order to forward all the incoming packets for port 5555 to port 5556 on the same server (192.168.2.101).

I wrote the following commands:

iptables -A PREROUTING -t nat -i any -p tcp --dport 5555 -j DNAT --to 192.168.2.101:5556
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.2.101 --dport 5556 -j ACCEPT

View 3 Replies View Related

Programming :: Drop Packets (not Iptables) In C / C++

May 24, 2010

I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out lets say 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program ?? I have found a library called ipq but apparently doesn't work with kernel 2.6.x anymore.

View 10 Replies View Related

Networking :: DNAT On First SYN ACK Packet

Aug 19, 2010

I am trying to simply address translate TCP packets from one destination IP to another destination IP (DNAT?) without getting the initial SYN packet. Is this possible? I do not think it is with DNAT since the conntrack needs SYN first.

I have given the command:

The problem is that the first packet that matches this rule will be the SYN-ACK and I suspect it is simply DROPPED.

I am sparing you the gory details of why I would do such a silly thing, but simply put; I need to intercept client-to-server packets through a tunnel, but allow server-to-client packets to follow through the regular network.

I have been working on this for many days w/o success and my learning curve is still steep. I can provide more details as needed.

View 2 Replies View Related

General :: Iptables Drop Fake Ip Packets?

Jun 2, 2011

I'm trying to drop all packets from the internet that use a fake ip address so they appear to come locally.

Do I need both lines or only the first ?

--append INPUT ! --in-interface lo --source 127.0.0.0/8 --jump DROP
--append INPUT ! --in-interface lo --destination 127.0.0.0/8 --jump DROP

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved